<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN" "topic.dtd">
<topic id="topic_n5w_gtd_jr">
  <title>Configuring Client Authentication</title>
  <shortdesc>Describes the available methods for authenticating Greenplum Database
    clients.</shortdesc>
  <body>
    <p>When a Greenplum Database system is first initialized, the system contains one predefined
      superuser role. This role will have the same name as the operating system user who initialized
      the Greenplum Database system. This role is referred to as gpadmin. By default, the system is
      configured to only allow local connections to the database from the gpadmin role. If you want
      to allow any other roles to connect, or if you want to allow connections from remote hosts,
      you have to configure Greenplum Database to allow such connections. This section explains how
      to configure client connections and authentication to Greenplum Database.<ul
        id="ul_kpg_sgq_kr">
        <li><xref href="#topic_ln1_ptd_jr" format="dita"/></li>
        <li><xref href="#topic_xwr_rvd_jr" format="dita"/></li>
        <li><xref href="#topic_nyh_gwd_jr" format="dita"/></li>
        <li><xref href="#topic_hwn_bk2_jr" format="dita"/></li>
        <li><xref href="#topic_ibc_nl2_jr" format="dita"/></li>
      </ul></p>
  </body>
  <topic id="topic_ln1_ptd_jr">
    <title>Allowing Connections to Greenplum Database</title>
    <body>
      <p>Client access and authentication is controlled by a configuration file named
          <codeph>pg_hba.conf</codeph> (the standard PostgreSQL host-based authentication file). For
        detailed information about this file, see <xref
          href="https://www.postgresql.org/docs/9.4/auth-pg-hba-conf.html" format="html"
          scope="external">The pg_hba.conf File</xref> in the PostgreSQL documentation. </p>
      <p>In Greenplum Database, the <codeph>pg_hba.conf</codeph> file of the master instance
        controls client access and authentication to your Greenplum system. The segments also have
          <codeph>pg_hba.conf</codeph> files, but these are already correctly configured to only
        allow client connections from the master host. The segments never accept outside client
        connections, so there is no need to alter the <codeph>pg_hba.conf</codeph> file on segments. </p>
      <p>The general format of the <codeph>pg_hba.conf</codeph> file is a set of records, one per
        line. Blank lines are ignored, as is any text after a # comment character. A record is made
        up of a number of fields which are separated by spaces and/or tabs. Fields can contain white
        space if the field value is quoted. Records cannot be continued across lines. </p>
      <p>A record can have one of seven formats:
        <codeblock>local      &lt;database>  &lt;user>  &lt;auth-method>  [&lt;auth-options>]
host       &lt;database>  &lt;user>  &lt;address>  &lt;auth-method>  [&lt;auth-options>]
hostssl    &lt;database>  &lt;user>  &lt;address>  &lt;auth-method>  [&lt;auth-options>]
hostnossl  &lt;database>  &lt;user>  &lt;address>  &lt;auth-method>  [&lt;auth-options>]
host       &lt;database>  &lt;user>  &lt;IP-address>  &lt;IP-mas>k  &lt;auth-method>  [&lt;auth-options>]
hostssl    &lt;database>  &lt;user>  &lt;IP-address>  &lt;IP-mask>  &lt;auth-method>  [&lt;auth-options>]
hostnossl  &lt;database&lt;  &lt;user>  &lt;IP-address>  &lt;IP-mask>  &lt;auth-method>  [&lt;auth-options>]</codeblock></p>
      <p>The meaning of the <codeph>pg_hba.conf</codeph> fields is as follows: <parml>
          <plentry>
            <pt><codeph>local</codeph></pt>
            <pd>Matches connection attempts using UNIX-domain sockets. Without a record of this
              type, UNIX-domain socket connections are disallowed. </pd>
          </plentry>
          <plentry>
            <pt><codeph>host</codeph></pt>
            <pd>Matches connection attempts made using TCP/IP. Remote TCP/IP connections will not be
              possible unless the server is started with an appropriate value for the
                <codeph>listen_addresses</codeph> server configuration parameter. Greenplum Database
              by default allows connections from all hosts (<codeph>'*'</codeph>).</pd>
          </plentry>
          <plentry>
            <pt><codeph>hostssl</codeph></pt>
            <pd>Matches connection attempts made using TCP/IP, but only when the connection is made
              with SSL encryption. SSL must be enabled at server start time by setting the
                <codeph>ssl</codeph> configuration parameter to on. Requires SSL authentication be
              configured in <codeph>postgresql.conf</codeph>. See <xref
                href="#topic_fzv_wb2_jr/ssl_postgresql" format="dita"/>. </pd>
          </plentry>
          <plentry>
            <pt><codeph>hostnossl</codeph></pt>
            <pd> Matches connection attempts made over TCP/IP that do not use SSL. </pd>
          </plentry>
          <plentry>
            <pt><codeph>database</codeph></pt>
            <pd>Specifies which database names this record matches. The value <codeph>all</codeph>
              specifies that it matches all databases. Multiple database names can be supplied by
              separating them with commas. A separate file containing database names can be
              specified by preceding the file name with <codeph>@</codeph>. </pd>
          </plentry>
          <plentry>
            <pt><codeph>user</codeph></pt>
            <pd>Specifies which database role names this record matches. The value
                <codeph>all</codeph> specifies that it matches all roles. If the specified role is a
              group and you want all members of that group to be included, precede the role name
              with a <codeph>+</codeph>. Multiple role names can be supplied by separating them with
              commas. A separate file containing role names can be specified by preceding the file
              name with <codeph>@</codeph>. </pd>
          </plentry>
          <plentry>
            <pt>
              <codeph>address</codeph>
            </pt>
            <pd>Specifies the client machine addresses that this record matches. This field can
              contain either a host name, an IP address range, or one of the special key words
              mentioned below. </pd>
            <pd>An IP address range is specified using standard numeric notation for the range's
              starting address, then a slash (<codeph>/</codeph>) and a CIDR mask length. The mask
              length indicates the number of high-order bits of the client IP address that must
              match. Bits to the right of this should be zero in the given IP address. There must
              not be any white space between the IP address, the <codeph>/</codeph>, and the CIDR
              mask length.</pd>
            <pd>Typical examples of an IPv4 address range specified this way are
                <codeph>172.20.143.89/32</codeph> for a single host, or
                <codeph>172.20.143.0/24</codeph> for a small network, or
                <codeph>10.6.0.0/16</codeph> for a larger one. An IPv6 address range might look like
                <codeph>::1/128</codeph> for a single host (in this case the IPv6 loopback address)
              or <codeph>fe80::7a31:c1ff:0000:0000/96</codeph> for a small network.
                <codeph>0.0.0.0/0</codeph> represents all IPv4 addresses, and <codeph>::0/0</codeph>
              represents all IPv6 addresses. To specify a single host, use a mask length of 32 for
              IPv4 or 128 for IPv6. In a network address, do not omit trailing zeroes.</pd>
            <pd>An entry given in IPv4 format will match only IPv4 connections, and an entry given
              in IPv6 format will match only IPv6 connections, even if the represented address is in
              the IPv4-in-IPv6 range. <note>Entries in IPv6 format will be rejected if the host
                system C library does not have support for IPv6 addresses.</note></pd>
            <pd>You can also write <codeph>all</codeph> to match any IP address,
                <codeph>samehost</codeph> to match any of the server's own IP addresses, or
                <codeph>samenet</codeph> to match any address in any subnet to which the server is
              directly connected.</pd>
            <pd>If a host name is specified (an address that is not an IP
              address, IP range, or special key word is treated as a host name), that name is
              compared with the result of a reverse name resolution of the client IP address (for
              example, reverse DNS lookup, if DNS is used). Host name comparisons are case
              insensitive. If there is a match, then a forward name resolution (for example, forward
              DNS lookup) is performed on the host name to check whether any of the addresses it
              resolves to are equal to the client IP address. If both directions match, then the
              entry is considered to match. </pd>
            <pd>The host name that is used in <codeph>pg_hba.conf</codeph> should be the one that
              address-to-name resolution of the client's IP address returns, otherwise the line
              won't be matched. Some host name databases allow associating an IP address with
              multiple host names, but the operating system will only return one host name when
              asked to resolve an IP address.</pd>
            <pd>A host name specification that starts with a dot (.) matches a suffix of the actual
              host name. So <codeph>.example.com</codeph> would match
                <codeph>foo.example.com</codeph> (but not just <codeph>example.com</codeph>).</pd>
            <pd>When host names are specified in <codeph>pg_hba.conf</codeph>, you should ensure
              that name resolution is reasonably fast. It can be advantageous to set up a local name
              resolution cache such as <codeph>nscd</codeph>. Also, you can enable the server
              configuration parameter <codeph>log_hostname</codeph> to see the client host name
              instead of the IP address in the log. </pd>
          </plentry>
          <plentry>
            <pt><codeph>IP-address</codeph></pt>
            <pt><codeph>IP-mask</codeph>
            </pt>
            <pd>These two fields can be used as an alternative to the CIDR address notation. Instead
              of specifying the mask length, the actual mask is specified in a separate column. For
              example, <codeph>255.0.0.0</codeph> represents an IPv4 CIDR mask length of 8, and
                <codeph>255.255.255.255</codeph> represents a CIDR mask length of 32. </pd>
          </plentry>
          <plentry>
            <pt>
              <codeph>auth-method</codeph>
            </pt>
            <pd> Specifies the authentication method to use when a connection matches this record.
              See <xref href="#topic_nyh_gwd_jr" format="dita"/> for options. </pd>
          </plentry>
          <plentry>
            <pt><codeph>auth-options</codeph></pt>
            <pd>After the <codeph>auth-method</codeph> field, there can be field(s) of the form
                <varname>name=value</varname> that specify options for the authentication method.
              Details about which options are available for which authentication methods are
              described in <xref href="#topic_nyh_gwd_jr" format="dita"/>.</pd>
          </plentry>
        </parml></p>
      <p>Files included by @ constructs are read as lists of names, which can be separated by either
        whitespace or commas. Comments are introduced by #, just as in <codeph>pg_hba.conf</codeph>,
        and nested @ constructs are allowed. Unless the file name following @ is an absolute path,
        it is taken to be relative to the directory containing the referencing file.</p>
      <p>The <codeph>pg_hba.conf</codeph> records are examined sequentially for each connection
        attempt, so the order of the records is significant. Typically, earlier records will have
        tight connection match parameters and weaker authentication methods, while later records
        will have looser match parameters and stronger authentication methods. For example, you
        might wish to use <codeph>trust</codeph> authentication for local TCP/IP connections but require a password
        for remote TCP/IP connections. In this case a record specifying <codeph>trust</codeph> authentication for
        connections from 127.0.0.1 would appear before a record specifying <codeph>password</codeph> authentication
        for a wider range of allowed client IP addresses.</p>
      <p>The <codeph>pg_hba.conf</codeph> file is read on start-up and when the main server process
        receives a SIGHUP signal. If you edit the file on an active system, you must reload the file
        using this command:<codeblock>$ gpstop -u</codeblock></p>
      <note type="caution">For a more secure system, remove records for remote connections that use
        <codeph>trust</codeph> authentication from the <codeph>pg_hba.conf</codeph> file. <codeph>trust</codeph> authentication grants
        any user who can connect to the server access to the database using any role they specify.
        You can safely replace <codeph>trust</codeph> authentication with <codeph>ident</codeph> authentication for local UNIX-socket
        connections. You can also use <codeph>ident</codeph> authentication for local and remote TCP clients, but the
        client host must be running an ident service and you must <codeph>trust</codeph> the integrity of that
        machine.</note>
    </body>
  </topic>
  <topic id="topic_xwr_rvd_jr">
    <title>Editing the pg_hba.conf File</title>
    <body>
      <p>Initially, the <codeph>pg_hba.conf</codeph> file is set up with generous permissions for
        the gpadmin user and no database access for other Greenplum Database roles. You will need to
        edit the <codeph>pg_hba.conf</codeph> file to enable users' access to databases and to
        secure the gpadmin user. Consider removing entries that have <codeph>trust</codeph> authentication, since
        they allow anyone with access to the server to connect with any role they choose. For local
        (UNIX socket) connections, use <codeph>ident</codeph> authentication, which requires the operating system
        user to match the role specified. For local and remote TCP connections, <codeph>ident</codeph> authentication
        requires the client's host to run an indent service. You could install an ident service on
        the master host and then use <codeph>ident</codeph> authentication for local TCP connections, for example
          <codeph>127.0.0.1/28</codeph>. Using <codeph>ident</codeph> authentication for remote TCP connections is
        less secure because it requires you to trust the integrity of the ident service on the
        client's host. </p>
      <note otherprops="pivotal"> Greenplum Command Center provides an interface for editing the
          <codeph>pg_hba.conf</codeph> file. It verifies entries before you save them, keeps a
        version history of the file so that you can reload a previous version of the file, and
        reloads the file into Greenplum Database. </note>
      <p>This example shows how to edit the <codeph>pg_hba.conf</codeph> file on the master host to
        allow remote client access to all databases from all roles using encrypted password
        authentication. </p>
      <p>To edit <codeph>pg_hba.conf</codeph>:<ol id="ol_krz_zvd_jr">
          <li>Open the file <codeph>$MASTER_DATA_DIRECTORY/pg_hba.conf</codeph> in a text
            editor.</li>
          <li>Add a line to the file for each type of connection you want to allow. Records are read
            sequentially, so the order of the records is significant. Typically, earlier records
            will have tight connection match parameters and weaker authentication methods, while
            later records will have looser match parameters and stronger authentication methods. For
            example:<codeblock># allow the gpadmin user local access to all databases
# using ident authentication
local   all   gpadmin   ident         sameuser
host    all   gpadmin   127.0.0.1/32  ident
host    all   gpadmin   ::1/128       ident
# allow the 'dba' role access to any database from any
# host with IP address 192.168.x.x and use md5 encrypted
# passwords to authenticate the user
# Note that to use SHA-256 encryption, replace md5 with
# password in the line below
host    all   dba   192.168.0.0/32  md5</codeblock></li>
        </ol></p>
    </body>
  </topic>
  <topic id="topic_nyh_gwd_jr">
    <title>Authentication Methods</title>
    <body>
      <ul id="ul_qgp_1jq_kr">
        <li>
          <xref href="#topic_nyh_gwd_jr/basic_auth" format="dita"/>
        </li>
        <li>
          <xref href="#topic_nyh_gwd_jr/kerberos_auth" format="dita"/>
        </li>
        <li>
          <xref href="#topic_nyh_gwd_jr/ldap_auth" format="dita"/>
        </li>
        <li>
          <xref href="#topic_fzv_wb2_jr" format="dita"/>
        </li>
        <li>
          <xref href="#topic_yxp_5h2_jr" format="dita"/>
        </li>
        <li>
          <xref href="#topic_ed4_d32_jr" format="dita"/>
        </li>
      </ul>
      <section id="basic_auth">
        <title>Basic Authentication</title>
        <p>
          <parml id="ul_zsk_kwd_jr">
            <plentry>
              <pt>Trust</pt>
              <pd>Allows the connection unconditionally, without the need for a password or any
                other authentication. This entry is required for the <codeph>gpadmin</codeph> role,
                and for Greenplum utilities (for example <codeph>gpinitsystem</codeph>,
                  <codeph>gpstop</codeph>, or <codeph>gpstart</codeph> amongst others) that need to
                connect between nodes without prompting for input or a password. </pd>
              <pd>
                <note type="important">For a more secure system, remove records for remote
                  connections that use <codeph>trust</codeph> authentication from
                    the <codeph>pg_hba.conf</codeph> file. <codeph>trust</codeph> authentication
                  grants any user who can connect to the server access to the database using any
                  role they specify. You can safely replace <codeph>trust</codeph> authentication
                  with <codeph>ident</codeph> authentication for local UNIX-socket connections. You
                  can also use <codeph>ident</codeph> authentication for local and remote TCP
                  clients, but the client host must be running an ident service and you must
                    <codeph>trust</codeph> the integrity of that machine.</note>
              </pd>
            </plentry>
            <plentry>
              <pt>Reject</pt>
              <pd>Reject the connections with the matching parameters. You should typically use this
                to restrict access from specific hosts or insecure connections.</pd>
            </plentry>
            <plentry>
              <pt>Ident</pt>
              <pd>Authenticates based on the client's operating system user name. This is secure for
                local socket connections. Using <codeph>ident</codeph> for TCP connections from remote hosts requires
                that the client's host is running an ident service. The <codeph>ident</codeph> authentication method
                should only be used with remote hosts on a trusted, closed network. </pd>
            </plentry>
            <plentry>
              <pt>md5</pt>
              <pd>Require the client to supply a double-MD5-hashed password for authentication.
              </pd>
            </plentry>
            <plentry>
              <pt>password</pt>
              <pd>Require the client to supply an unencrypted password for authentication. Since the
                password is sent in clear text over the network, this should not be used on
                untrusted networks.</pd>
            </plentry>
          </parml>
        </p>
        <p>The password-based authentication methods are <codeph>md5</codeph> and
            <codeph>password</codeph>. These methods operate similarly except for the way that the
          password is sent across the connection: MD5-hashed and clear-text respectively. </p>
        <p>If you are at all concerned about password "sniffing" attacks then <codeph>md5</codeph>
          is preferred. Plain <codeph>password</codeph> should always be avoided if possible. If the
          connection is protected by SSL encryption then <codeph>password</codeph> can be used
          safely (although SSL certificate authentication might be a better choice if you are
          depending on using SSL).</p>
        <p>Following are some sample <codeph>pg_hba.conf</codeph> basic authentication
          entries:<codeblock>hostnossl    all   all        0.0.0.0   reject
hostssl      all   testuser   0.0.0.0/0 md5
local        all   gpuser               ident</codeblock></p>
      </section>
      <p>Or:</p>
      <codeblock>
local    all           gpadmin         ident 
host     all           gpadmin         localhost      trust 
host     all           gpadmin         mdw            trust 
local    replication   gpadmin         ident 
host     replication   gpadmin         samenet       trust 
host     all           all             0.0.0.0/0     md5</codeblock>
      <section id="kerberos_auth">
        <title>GSSAPI Authentication</title>
        <p>GSSAPI is an industry-standard protocol for secure authentication defined in RFC 2743.
          Greenplum Database supports GSSAPI with Kerberos authentication according to RFC 1964.
          GSSAPI provides automatic authentication (single sign-on) for systems that support it. The
          authentication itself is secure, but the data sent over the database connection will be
          sent unencrypted unless SSL is used.</p>
        <p>The <codeph>gss</codeph> authentication method is only available for TCP/IP
          connections.</p>
        <p>When GSSAPI uses Kerberos, it uses a standard principal in the format
            <varname>servicename/hostname@realm</varname>. The Greenplum Database server will accept
          any principal that is included in the keytab file used by the server, but care needs to be
          taken to specify the correct principal details when making the connection from the client
          using the <codeph>krbsrvname</codeph> connection parameter. (See <xref
            href="https://www.postgresql.org/docs/9.4/libpq-connect.html#LIBPQ-PARAMKEYWORDS"
            format="html" scope="external">Connection Parameter Key Words</xref> in the PostgreSQL
          documentation.) In most environments, this parameter never needs to be changed. Some
          Kerberos implementations might require a different service name, such as Microsoft Active
          Directory, which requires the service name to be in upper case (POSTGRES).</p>
        <p><varname>hostname</varname> is the fully qualified host name of the server machine. The
          service principal's realm is the preferred realm of the server machine.</p>
        <p>Client principals must have their Greenplum Database user name as their first component,
          for example <codeph>gpusername@realm</codeph>. Alternatively, you can use a user name
          mapping to map from the first component of the principal name to the database user name.
          By default, Greenplum Database does not check the realm of the client. If you have
          cross-realm authentication enabled and need to verify the realm, use the
            <codeph>krb_realm</codeph> parameter, or enable <codeph>include_realm</codeph> and use
          user name mapping to check the realm.</p>
        <p>Make sure that your server keytab file is readable (and preferably only readable) by the
          <codeph>gpadmin</codeph> server account. The location of the key file is specified by the <xref
            href="../../ref_guide/config_params/guc-list.xml#krb_server_keyfile"/> configuration
          parameter. For security reasons, it is recommended to use a separate keytab just for the
          Greenplum Database server rather than opening up permissions on the system keytab
          file.</p>
        <p>The keytab file is generated by the Kerberos software; see the Kerberos documentation for
          details. The following example is for MIT-compatible Kerberos 5 implementations:</p>
        <codeblock>kadmin% <b>ank -randkey postgres/server.my.domain.org</b>
kadmin% <b>ktadd -k krb5.keytab postgres/server.my.domain.org</b></codeblock>
        <p>When connecting to the database make sure you have a ticket for a principal matching the
          requested database user name. For example, for database user name <codeph>fred</codeph>,
          principal <codeph>fred@EXAMPLE.COM</codeph> would be able to connect. To also allow
          principal <codeph>fred/users.example.com@EXAMPLE.COM</codeph>, use a user name map, as
          described in <xref href="https://www.postgresql.org/docs/9.4/auth-username-maps.html"
            format="html" scope="external">User Name Maps</xref> in the PostgreSQL documentation.</p>
        <p>The following configuration options are supported for GSSAPI: </p>
        <parml>
          <plentry>
            <pt><codeph>include_realm</codeph></pt>
            <pd>If set to 1, the realm name from the authenticated user principal is included in the
              system user name that is passed through user name mapping. This is the recommended
              configuration as, otherwise, it is impossible to differentiate users with the same
              username who are from different realms. The default for this parameter is 0 (meaning
              to not include the realm in the system user name) but may change to 1 in a future
              version of Greenplum Database. You can set it explicitly to avoid any issues when
              upgrading.</pd>
          </plentry>
          <plentry>
            <pt><codeph>map</codeph></pt>
            <pd>Allows for mapping between system and database user names. For a GSSAPI/Kerberos
              principal, such as <codeph>username@EXAMPLE.COM</codeph> (or, less commonly,
                <codeph>username/hostbased@EXAMPLE.COM</codeph>), the default user name used for
              mapping is <codeph>username</codeph> (or <codeph>username/hostbased</codeph>,
              respectively), unless <codeph>include_realm</codeph> has been set to 1 (as
              recommended, see above), in which case <codeph>username@EXAMPLE.COM</codeph> (or
                <codeph>username/hostbased@EXAMPLE.COM</codeph>) is what is seen as the system
              username when mapping. </pd>
          </plentry>
        </parml>
        <parml>
          <plentry>
            <pt><codeph>krb_realm</codeph></pt>
            <pd>
              <p>Sets the realm to match user principal names against. If this parameter is set,
                only users of that realm will be accepted. If it is not set, users of any realm can
                connect, subject to whatever user name mapping is done.</p>
            </pd>
          </plentry>
        </parml>
      </section>
      <section id="ldap_auth">
        <title>LDAP Authentication</title>
        <p>You can authenticate against an LDAP directory.</p>
        <ul>
          <li>LDAPS and LDAP over TLS options encrypt the connection to the LDAP server.</li>
          <li>The connection from the client to the server is not encrypted unless SSL is enabled.
            Configure client connections to use SSL to encrypt connections from the client.</li>
          <li>To configure or customize LDAP settings, set the <codeph>LDAPCONF</codeph> environment
            variable with the path to the <codeph>ldap.conf</codeph> file and add this to the
              <codeph>greenplum_path.sh</codeph> script.</li>
        </ul>
        <p>Following are the recommended steps for configuring your system for LDAP authentication: <ol>
            <li> Set up the LDAP server with the database users/roles to be authenticated via
              LDAP.</li>
            <li>On the database:<ol>
                <li>Verify that the database users to be authenticated via LDAP exist on the
                  database. LDAP is only used for verifying username/password pairs, so the roles
                  should exist in the database.</li>
                <li>Update the <codeph>pg_hba.conf</codeph> file in the
                    <codeph>$MASTER_DATA_DIRECTORY</codeph> to use LDAP as the authentication method
                  for the respective users. Note that the first entry to match the user/role in the
                    <codeph>pg_hba.conf</codeph> file will be used as the authentication mechanism,
                  so the position of the entry in the file is important.</li>
                <li>Reload the server for the <codeph>pg_hba.conf</codeph> configuration settings to
                  take effect (<codeph>gpstop -u</codeph>).</li>
              </ol>
            </li>
          </ol></p>
        <p>Specify the following parameter <codeph>auth-options</codeph>. <parml>
            <plentry>
              <pt>ldapserver</pt>
              <pd>Names or IP addresses of LDAP servers to connect to. Multiple servers may be
                specified, separated by spaces.</pd>
            </plentry>
            <plentry>
              <pt>ldapprefix</pt>
              <pd>String to prepend to the user name when forming the DN to bind as, when doing
                simple bind authentication.</pd>
            </plentry>
            <plentry>
              <pt>ldapsuffix</pt>
              <pd>String to append to the user name when forming the DN to bind as, when doing
                simple bind authentication.</pd>
            </plentry>
            <plentry>
              <pt>ldapport</pt>
              <pd>Port number on LDAP server to connect to. If no port is specified, the LDAP
                library's default port setting will be used.</pd>
            </plentry>
            <plentry>
              <pt>ldaptls</pt>
              <pd>Set to 1 to make the connection between PostgreSQL and the LDAP server use TLS
                encryption. Note that this only encrypts the traffic to the LDAP server — the
                connection to the client will still be unencrypted unless SSL is used.</pd>
            </plentry>
            <plentry>
              <pt>ldapbasedn</pt>
              <pd>Root DN to begin the search for the user in, when doing search+bind
                authentication.</pd>
            </plentry>
            <plentry>
              <pt>ldapbinddn</pt>
              <pd>DN of user to bind to the directory with to perform the search when doing
                search+bind authentication.</pd>
            </plentry>
            <plentry>
              <pt>ldapbindpasswd</pt>
              <pd>Password for user to bind to the directory with to perform the search when doing
                search+bind authentication.</pd>
            </plentry>
            <plentry>
              <pt>ldapsearchattribute</pt>
              <pd>Attribute to match against the user name in the search when doing search+bind
                authentication.</pd>
            </plentry>
          </parml>
        </p>
        <p>Example:
          <codeblock>ldapserver=ldap.greenplum.com prefix="cn=" suffix=", dc=greenplum, dc=com"</codeblock></p>
        <p>Following are sample <codeph>pg_hba.conf</codeph> file entries for LDAP authentication:
          <codeblock>host all testuser 0.0.0.0/0 ldap ldap
ldapserver=ldapserver.greenplum.com ldapport=389 ldapprefix="cn=" ldapsuffix=",ou=people,dc=greenplum,dc=com"
hostssl   all   ldaprole   0.0.0.0/0   ldap
ldapserver=ldapserver.greenplum.com ldaptls=1 ldapprefix="cn=" ldapsuffix=",ou=people,dc=greenplum,dc=com"</codeblock></p>
      </section>
    </body>
  </topic>
  <topic id="topic_fzv_wb2_jr">
    <title>SSL Client Authentication</title>
    <body>
      <p>SSL authentication compares the Common Name (cn) attribute of an SSL certificate provided
        by the connecting client during the SSL handshake to the requested database user name. The
        database user should exist in the database. A map file can be used for mapping between
        system and database user names. </p>
      <section>
        <title>SSL Authentication Parameters</title>
        <p>Authentication method:<ul id="ul_fr4_fc2_jr">
            <li>Cert<p>Authentication options:<parml>
                  <plentry>
                    <pt>Hostssl</pt>
                    <pd>Connection type must be hostssl.</pd>
                  </plentry>
                  <plentry>
                    <pt>map=<varname>mapping</varname></pt>
                    <pd>mapping. </pd>
                    <pd>This is specified in the <codeph>pg_ident.conf</codeph>, or in the file
                      specified in the <codeph>ident_file</codeph> server setting.</pd>
                  </plentry>
                </parml></p><p>Following are sample <codeph>pg_hba.conf</codeph> entries for SSL
                client
                authentication:<codeblock>Hostssl testdb certuser 192.168.0.0/16 cert
Hostssl testdb all 192.168.0.0/16 cert map=gpuser
</codeblock></p></li>
          </ul></p>
      </section>
      <section id="openssl_config">
        <title>OpenSSL Configuration</title>
        <p>You can make changes to the OpenSSL configuration by updating the
            <codeph>openssl.cnf</codeph> file under your OpenSSL installation directory, or the file
          referenced by <codeph>$OPENSSL_CONF</codeph>, if present, and then restarting the
          Greenplum Database server.</p>
      </section>
      <section id="create_a_cert">
        <title>Creating a Self-Signed Certificate</title>
        <p>A self-signed certificate can be used for testing, but a certificate signed by a
          certificate authority (CA) (either one of the global CAs or a local one) should be used in
          production so that clients can verify the server's identity. If all the clients are local
          to the organization, using a local CA is recommended. </p>
        <p>To create a self-signed certificate for the server:<ol id="ol_qpr_p4x_kr">
            <li>Enter the following <codeph>openssl</codeph>
              command:<codeblock>openssl req -new -text -out server.req</codeblock></li>
            <li>Enter the requested information at the prompts. <p>Make sure you enter the local
                host name for the Common Name. The challenge password can be left blank. </p></li>
            <li>The program generates a key that is passphrase-protected; it does not accept a
              passphrase that is less than four characters long. To remove the passphrase (and you
              must if you want automatic start-up of the server), run the following
              command:
              <codeblock>openssl rsa -in privkey.pem -out server.key
rm privkey.pem</codeblock></li>
            <li>Enter the old passphrase to unlock the existing key. Then run the following
                command:<codeblock>openssl req -x509 -in server.req -text -key server.key -out server.crt</codeblock><p>This
                turns the certificate into a self-signed certificate and copies the key and
                certificate to where the server will look for them. </p></li>
            <li>Finally, run the following
              command:<codeblock>chmod og-rwx server.key</codeblock></li>
          </ol></p>
        <p>For more details on how to create your server private key and certificate, refer to the
          OpenSSL documentation. </p>
      </section>
      <section id="ssl_postgresql">
        <title>Configuring postgresql.conf for SSL Authentication</title>
        <p>The following Server settings need to be specified in the
            <codeph>postgresql.conf</codeph> configuration file: <ul id="ul_bzs_b22_jr">
            <li><codeph>ssl</codeph>
              <i>boolean</i>. Enables SSL connections.</li>
            <li><codeph>ssl_renegotiation_limit</codeph>
              <i>integer</i>. Specifies the data limit before key renegotiation.</li>
            <li><codeph>ssl_ciphers</codeph>
              <i>string</i>. Configures the list SSL ciphers that are allowed.
                <codeph>ssl_ciphers</codeph>
              <i>overrides</i> any ciphers string specified in <codeph>/etc/openssl.cnf</codeph>.
              The default value <codeph>ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH</codeph> enables all
              ciphers except for ADH, LOW, EXP, and MD5 ciphers, and prioritizes ciphers by their
              strength.
              <note>With TLS 1.2 some ciphers in MEDIUM and HIGH strength still use NULL encryption
                (no encryption for transport), which the default <codeph>ssl_ciphers</codeph> string
                allows. To bypass NULL ciphers with TLS 1.2 use a string such as
                  <codeph>TLSv1.2:!eNULL:!aNULL</codeph>.<p>It is possible to have authentication
                  without encryption overhead by using <codeph>NULL-SHA</codeph> or
                    <codeph>NULL-MD5</codeph> ciphers. However, a man-in-the-middle could read and
                  pass communications between client and server. Also, encryption overhead is
                  minimal compared to the overhead of authentication. For these reasons, NULL
                  ciphers should not be used.</p></note></li>
          </ul></p>
        <p>The default location for the following SSL server files is the Greenplum Database master
          data directory (<codeph>$MASTER_DATA_DIRECTORY</codeph>): <ul id="ul_gzs_b22_jr">
            <li><codeph>server.crt</codeph> - Server certificate.</li>
            <li><codeph>server.key</codeph> - Server private key.</li>
            <li><codeph>root.crt</codeph> - Trusted certificate authorities.</li>
            <li><codeph>root.crl</codeph> - Certificates revoked by certificate authorities.</li>
          </ul></p>
        <p>If Greenplum Database master mirroring is enabled with SSL client authentication, the SSL
          server files <i>should not be placed</i> in the default directory
            <codeph>$MASTER_DATA_DIRECTORY</codeph>. If a <codeph>gpinitstandby</codeph> operation
          is performed, the contents of <codeph>$MASTER_DATA_DIRECTORY</codeph> is copied from the
          master to the standby master and the incorrect SSL key, and cert files (the master files,
          and not the standby master files) will prevent standby master start up. </p>
        <p>You can specify a different directory for the location of the SSL server files with the
            <codeph>postgresql.conf</codeph> parameters <codeph>sslcert</codeph>,
            <codeph>sslkey</codeph>, <codeph>sslrootcert</codeph>, and <codeph>sslcrl</codeph>.</p>
      </section>
      <section id="config_ssl_client_conn">
        <title>Configuring the SSL Client Connection</title>
      </section>
      <p>SSL options:<parml>
          <plentry>
            <pt>sslmode</pt>
            <pd>Specifies the level of protection.<parml>
                <plentry>
                  <pt>
                    <codeph>require</codeph>
                  </pt>
                  <pd>Only use an SSL connection. If a root CA file is present, verify the
                    certificate in the same way as if <codeph>verify-ca</codeph> was specified.</pd>
                </plentry>
                <plentry>
                  <pt>
                    <codeph>verify-ca</codeph>
                  </pt>
                  <pd>Only use an SSL connection. Verify that the server certificate is issued by a
                    trusted CA.</pd>
                </plentry>
                <plentry>
                  <pt>
                    <codeph>verify-full</codeph>
                  </pt>
                  <pd>Only use an SSL connection. Verify that the server certificate is issued by a
                    trusted CA and that the server host name matches that in the certificate.</pd>
                </plentry>
              </parml></pd>
          </plentry>
          <plentry>
            <pt>sslcert</pt>
            <pd>The file name of the client SSL certificate. The default is
                <codeph>$MASTER_DATA_DIRECTORY/postgresql.crt</codeph>. </pd>
          </plentry>
          <plentry>
            <pt>sslkey</pt>
            <pd>The secret key used for the client certificate. The default is
                <codeph>$MASTER_DATA_DIRECTORY/postgresql.key</codeph>.</pd>
          </plentry>
          <plentry>
            <pt>sslrootcert</pt>
            <pd>The name of a file containing SSL Certificate Authority certificate(s). The default
              is <codeph>$MASTER_DATA_DIRECTORY/root.crt</codeph>.</pd>
          </plentry>
          <plentry>
            <pt>sslcrl</pt>
            <pd>The name of the SSL certificate revocation list. The default is
                <codeph>$MASTER_DATA_DIRECTORY/root.crl</codeph>.</pd>
          </plentry>
        </parml></p>
      <p>The client connection parameters can be set using the following environment variables:<ul
          id="ul_yph_5g2_jr">
          <li><codeph>sslmode</codeph> – <codeph>PGSSLMODE</codeph></li>
          <li><codeph>sslcert</codeph> – <codeph>PGSSLCERT</codeph></li>
          <li><codeph>sslkey</codeph> – <codeph>PGSSLKEY</codeph></li>
          <li><codeph>sslrootcert</codeph> – <codeph>PGSSLROOTCERT</codeph></li>
          <li><codeph>sslcrl</codeph> – <codeph>PGSSLCRL</codeph> </li>
        </ul></p>
      <p>For example, run the following command to connect to the <codeph>postgres</codeph> database
        from <codeph>localhost</codeph> and verify the certificate present in the default location
        under <codeph>$MASTER_DATA_DIRECTORY</codeph>:
        <codeblock>psql "sslmode=verify-ca host=localhost dbname=postgres"</codeblock></p>
    </body>
  </topic>
  <topic id="topic_yxp_5h2_jr">
    <title>PAM-Based Authentication</title>
    <body>
      <p>The "PAM" (Pluggable Authentication Modules) authentication method validates
        username/password pairs, similar to basic authentication. To use PAM
        authentication, the user must already exist as a Greenplum Database role name.</p>
      <p>Greenplum uses the <codeph>pamservice</codeph> authentication parameter
        to identify the service from which to obtain the PAM configuration.</p>
      <note>If PAM is set up to read <codeph>/etc/shadow</codeph>, authentication will
        fail because the PostgreSQL server is started by a non-root user. This is not
        an issue when PAM is configured to use LDAP or another authentication method.</note>
      <p>Greenplum Database does not install a PAM configuration file. If you choose
        to use PAM authentication with Greenplum, you must identify the PAM service
        name for Greenplum and create the associated PAM service configuration file
        and configure Greenplum Database to use PAM authentication as described below:</p>
      <ol>
        <li>Log in to the Greenplum Database master host and set up your environment.
          For example:<codeblock>$ ssh gpadmin@&lt;gpmaster&gt;
gpadmin@gpmaster$ . /usr/local/greenplum-db/greenplum_path.sh</codeblock></li>
        <li>Identify the <codeph>pamservice</codeph> name for Greenplum Database. In
          this procedure, we choose the name <codeph>greenplum</codeph>.</li>
        <li>Create the PAM service configuration file, <codeph>/etc/pam.d/greenplum</codeph>,
          and add the text below. You must have operating system superuser
          privileges to create the <codeph>/etc/pam.d</codeph> directory (if
          necessary) and the <codeph>greenplum</codeph> PAM configuration file.
<codeblock>#%PAM-1.0
auth		include		password-auth
account		include		password-auth
</codeblock>
          <p>This configuration instructs PAM to authenticate the local operating
            system user.</p></li>
        <li>Ensure that the <codeph>/etc/pam.d/greenplum</codeph> file is readable
          by all users: <codeblock>sudo chmod 644 /etc/pam.d/greenplum</codeblock></li>
        <li>Add one or more entries to the <codeph>pg_hba.conf</codeph> configuration
          file to enable PAM authentication in Greenplum Database. These entries must
          specify the <codeph>pam</codeph> <i>auth-method</i>. You must also specify
          the <codeph>pamservice=greenplum</codeph> <i>auth-option</i>. For example:
<codeblock>
host     &lt;user-name>     &lt;db-name>     &lt;address>     pam     pamservice=greenplum
</codeblock></li>
        <li>Reload the Greenplum Database configuration:
          <codeblock>$ gpstop -u</codeblock></li>
      </ol>
    </body>
  </topic>
  <topic id="topic_ed4_d32_jr">
    <title>Radius Authentication</title>
    <body>
      <p>RADIUS (Remote Authentication Dial In User Service) authentication works by sending an
        Access Request message of type 'Authenticate Only' to a configured RADIUS server. It
        includes parameters for user name, password (encrypted), and the Network Access Server (NAS)
        Identifier. The request is encrypted using the shared secret specified in the
          <codeph>radiussecret</codeph> option. The RADIUS server responds with either
          <codeph>Access Accept</codeph> or <codeph>Access Reject</codeph>. </p>
      <note>RADIUS accounting is not supported.</note>
      <p> RADIUS authentication only works if the users already exist in the database.</p>
      <p>The RADIUS encryption vector requires SSL to be enabled in order to be cryptographically
        strong.</p>
      <section>
        <title>RADIUS Authentication Options</title>
        <parml>
          <plentry>
            <pt>radiusserver</pt>
            <pd>The name of the RADIUS server.</pd>
          </plentry>
          <plentry>
            <pt>radiussecret</pt>
            <pd>The RADIUS shared secret.</pd>
          </plentry>
          <plentry>
            <pt>radiusport</pt>
            <pd>The port to connect to on the RADIUS server.</pd>
          </plentry>
          <plentry>
            <pt>radiusidentifier</pt>
            <pd>NAS identifier in RADIUS requests.</pd>
          </plentry>
        </parml>
      </section>
      <p>Following are sample <codeph>pg_hba.conf</codeph> entries for RADIUS client
        authentication:<codeblock>hostssl  all all 0.0.0.0/0 radius radiusserver=servername radiussecret=<varname>sharedsecret</varname></codeblock></p>
    </body>
  </topic>
  <topic id="topic_hwn_bk2_jr">
    <title>Limiting Concurrent Connections</title>
    <body>
      <p>To limit the number of active concurrent sessions to your Greenplum Database system, you
        can configure the <codeph>max_connections</codeph> server configuration parameter. This is a
        local parameter, meaning that you must set it in the <codeph>postgresql.conf</codeph> file
        of the master, the standby master, and each segment instance (primary and mirror). The value
        of <codeph>max_connections</codeph> on segments must be 5-10 times the value on the master. </p>
      <p>When you set <codeph>max_connections</codeph>, you must also set the dependent parameter
          <codeph>max_prepared_transactions</codeph>. This value must be at least as large as the
        value of <codeph>max_connections</codeph> on the master, and segment instances should be set
        to the same value as the master. </p>
      <p>In <codeph>$MASTER_DATA_DIRECTORY/postgresql.conf</codeph> (including standby
        master):<codeblock>max_connections=100
max_prepared_transactions=100</codeblock></p>
      <p>In <codeph>SEGMENT_DATA_DIRECTORY/postgresql.conf</codeph> for all segment
        instances:<codeblock>max_connections=500
max_prepared_transactions=100</codeblock></p>
      <note>Note: Raising the values of these parameters may cause Greenplum Database to request
        more shared memory. To mitigate this effect, consider decreasing other memory-related
        parameters such as <codeph>gp_cached_segworkers_threshold</codeph>.</note>
      <p>To change the number of allowed connections:<ol id="ol_etb_rk2_jr">
          <li>Stop your Greenplum Database system:<codeblock>$ gpstop</codeblock></li>
          <li>On the master host, edit <codeph>$MASTER_DATA_DIRECTORY/postgresql.conf</codeph> and
            change the following two parameters:<ul id="ul_e5k_vk2_jr">
              <li><codeph>max_connections</codeph> – the number of active user sessions you want to
                allow plus the number of <codeph>superuser_reserved_connections</codeph>.</li>
              <li><codeph>max_prepared_transactions</codeph> – must be greater than or equal to
                  <codeph>max_connections</codeph>.</li>
            </ul></li>
          <li>On each segment instance, edit <codeph>SEGMENT_DATA_DIRECTORY/postgresql.conf</codeph>
            and change the following two parameters:<ul id="ul_iwf_1l2_jr">
              <li><codeph>max_connections</codeph> – must be 5-10 times the value on the
                master.</li>
              <li><codeph>max_prepared_transactions</codeph> – must be equal to the value on the
                master.</li>
            </ul></li>
          <li>Restart your Greenplum Database system:<codeblock>$ gpstart</codeblock></li>
        </ol></p>
    </body>
  </topic>
  <topic id="topic_ibc_nl2_jr">
    <title>Encrypting Client/Server Connections</title>
    <body>
      <p>Greenplum Database has native support for SSL connections between the client and the master
        server. SSL connections prevent third parties from snooping on the packets, and also prevent
        man-in-the-middle attacks. SSL should be used whenever the client connection goes through an
        insecure link, and must be used whenever client certificate authentication is used. </p>
      <note>For information about encrypting data between the <codeph>gpfdist</codeph> server and
        Greenplum Database segment hosts, see <xref href="Encryption.xml#gpfdist_connections"/>. </note>
      <p>To enable SSL requires that OpenSSL be installed on both the client and the master server
        systems. Greenplum can be started with SSL enabled by setting the server configuration
        parameter <codeph>ssl=on</codeph> in the master <codeph>postgresql.conf</codeph>. When
        starting in SSL mode, the server will look for the files <codeph>server.key</codeph> (server
        private key) and <codeph>server.crt</codeph> (server certificate) in the master data
        directory. These files must be set up correctly before an SSL-enabled Greenplum system can
        start.</p>
      <note type="important">Do not protect the private key with a passphrase. The server does not
        prompt for a passphrase for the private key, and the database startup fails with an error if
        one is required.</note>
      <p>A self-signed certificate can be used for testing, but a certificate signed by a
        certificate authority (CA) should be used in production, so the client can verify the
        identity of the server. Either a global or local CA can be used. If all the clients are
        local to the organization, a local CA is recommended. See <xref
          href="#topic_fzv_wb2_jr/create_a_cert" format="dita"/> for steps to create a self-signed
        certificate.</p>
    </body>
  </topic>
</topic>
